The article I chose to write about is called “Apple’s Worst Security Breach: 114,000 iPad Owners Exposed”. The security breach refers to the exposure of email addresses that belong to some of the most exclusive “A-listers” in finance, politics, media and entertainment. This exclusive group was among the few people in the world that had subscriptions to the iPad 3G. With the email addresses exposed and potentially in the wrong hands, this breach could open the door to spam marketing and malicious hacking. Additionally, the user accounts of nearly 114,000 owners had been compromised through the AT&T network, exposing the associated IDs used to authenticate the subscriber on the AT&T network. AT&T was able to close the security hole but did not tell its account holders about the issue until it became public information. Although it was determined that the problem was AT&T’s fault, Apple bears the blame because iPad 3G users were required to give the company their email addresses to activate the product. Moreover, because AT&T is the exclusive carrier for the product with Apple, it ends up being Apple with egg on its face.
The breach was carried out through a script on AT&T’s website that was easily accessible. When an ICC-ID was provided in an HTTP request, the script would return the associated email address. The security group that informed AT&T of this issue was then able to guess users’ ICC-IDs through the social media platforms they used for personal use. Many ICC-IDs were words, phrases or other easily identifiable texts that presented themselves on sites like Flickr. Although the breach may seem significant in size, which AT&T acknowledges, the company questions the depth of the actual damage done and downplays the breach as being quite minimal.
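As an added example (not taken from the article or from AT&T's code), the Python sketch below contrasts the lookup pattern described above with a version that returns the address only to a session authenticated for that same ICC-ID. All names, identifiers, addresses and the lockout threshold are constructed assumptions.

```python
# Constructed sample data: ICC-ID -> subscriber email (all values are made up).
SUBSCRIBERS = {
    "89014100000000000001": "alice@example.com",
    "89014100000000000002": "bob@example.com",
}
# Constructed session store: token -> ICC-ID the session was authenticated for.
SESSIONS = {"tok-alice": "89014100000000000001"}

MAX_DENIED = 3  # assumed threshold of denied lookups before a client is refused


def lookup_unsafe(iccid):
    """Pattern the article describes: whoever supplies an ICC-ID gets the email."""
    return SUBSCRIBERS.get(iccid)


class HardenedLookup:
    """Binds the lookup to the caller's own session and limits repeated guessing."""

    def __init__(self):
        self.denied = {}  # client address -> number of denied lookups so far

    def lookup(self, client, session_token, iccid):
        # Refuse clients that have already accumulated too many denied lookups.
        if self.denied.get(client, 0) >= MAX_DENIED:
            return (429, None)
        owner = SESSIONS.get(session_token)
        # Same 403 for "no session", "wrong ICC-ID" and "unknown ICC-ID", so the
        # response never reveals whether a guessed identifier exists.
        if owner is None or owner != iccid:
            self.denied[client] = self.denied.get(client, 0) + 1
            return (403, None)
        email = SUBSCRIBERS.get(iccid)
        return (200, email) if email is not None else (404, None)


if __name__ == "__main__":
    svc = HardenedLookup()
    print(lookup_unsafe("89014100000000000002"))  # email leaks to any caller
    print(svc.lookup("198.51.100.7", "tok-alice", "89014100000000000001"))
    print(svc.lookup("198.51.100.7", "tok-alice", "89014100000000000002"))
```
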
Analysis:
Scripts are invisible to the visitor's eye, but their presence within the code of a website defines how the website behaves in response to certain click requests sent by the user. Each script is a text document containing a list of instructions that need to be executed by a certain program or scripting manager so that the desired automated action can be achieved. This saves users from having to go through many complicated steps in order to reach certain results while browsing a website or working on their personal computers. The text nature of scripts allows them to be opened and edited with the help of a basic text editor (NTC Hosting, 2013).
Perhaps the most dangerous aspect of administrative scripting is the easy accessibility scripts have to the system. Users can launch scripts without even realizing that they're doing so; a large number of file extensions are registered to the Windows Script Host, and double-clicking any file with one of those extensions launches the script (TechTarget, 2013). The goal of any security program should be to allow beneficial, authorized scripts to run, while preventing unauthorized scripts from running. One control that AT&T and Apple could have used was a test run on AT&T's server to uncover any potentially harmful scripts. Another control that could have been used would be to install updated software that may have auto-corrected the flaw in the system.
Lastly, I believe there is a controls and ethics issue that should have been implemented when AT&T first found out about the security breach. Immediately upon learning about the problem, AT&T should have informed both Apple and all of the clients that were compromised. This may have allowed the users to be able to prevent any additional issues associated with both their emails and their user IDs.